With the Data Protection Bill withdrawn in parliament and new legislation upcoming, India stands at the precipice of change. The upcoming Bill must reorient its focus on obtaining data adequacy and facilitating free cross-border flows of data.On August 3, the government withdrew the much-anticipated Personal Data Protection Bill from the Lok Sabha.It’s been five years since the Supreme Court held the right to privacy to be a fundamental right and directed the government to bring out a comprehensive data protection regime. Minister of Information and Technology Ashwini Vaishnaw said that the government will present a fresh bill incorporating suggestions of the Joint Committee of Parliament, in the Budget session next year.Data protection legislation defines procedures that apps must follow when collecting, storing and processing data in India.Without such a framework, companies would have to examine regulations and remedies provided in a variety of acts such as the Information Technology Act, 2000, Payment and Settlement Systems Act, 2007, and SEBI Data Sharing Policy, 2019, among others. This is a fragmented and suboptimal approach to protecting user rights.A comprehensive data protection law is not only necessary to protect users’ rights and promote the ease of doing business, but it also plays an important role in economic and foreign policy. Cross-border data flows are essential to international digital trade and a fragmented framework can affect transactions and investments. Further, adequate data protection is a prerequisite to trade with the European Union and other major Asian and Pacific countries. It is also central to negotiations of modern free trade agreements. For instance, there is a chapter on digital trade in India’s latest Free Trade Agreement with the United Arab Emirates.Also read: What Could the Future of Indian Data Protection Law Look Like?The withdrawal of the Data Protection Bill was criticised because many were deeply invested in the process and the outcome. However, its withdrawal is also an opportunity for India to reimagine data protection. A revised bill can prioritise cross-border flows of data while keeping data adequacy at its core.There are two broad approaches to data protection globally.One is the China-Russia model focused on ‘localisation’. Personal data on Russian citizens must be kept in Russia. The country’s data localisation law even contains a provision that allows it to block websites that don’t process Russian data in Russia. A similar provision is present in China’s Personal Information Protection Law.On the other hand, there’s the EU model of trust-based approaches to relatively unrestricted cross-border flows of data. There is no blanket prohibition on storage or processing in any other country as long as they maintain data protection standards, comparable to its General Data Protection Regulation ― the criteria are defined in Article 45.India has flirted with both approaches.The Data Protection Bill, 2021 includes provisions on data localisation that restricts the transfer of sensitive and critical personal data. But earlier this year, India made a joint declaration with the EU and several other countries on the importance of fostering data free flow with trust. It is imperative to proceed on this path. Further, India’s IT exports have grown steadily over the past decade. In 2020-21, India’s export of software services was estimated at $133.7 billion. Around 54.8% was bound for the US and 30% for Europe.Free flow of data is essential for India to become an important player in the international trade regime, which is increasingly digital. Localisation poses a threat to innovation and places a high infrastructure and financial burden on businesses. Further, without the necessary institutional capacities to safely store this data, data localisation does not provide any additional privacy protections.Also read: Lessons India Can Draw From Sri Lanka’s Efforts With Data Protection LegislationData localisation is often pitted against the risks that the free flow of data may pose to citizens. This is a false dichotomy. India’s endeavour toward cross-border data flows can be tempered with appropriate focus on data adequacy. This would involve establishing an independent Data Protection Authority vested with the power to enforce the law and provide remedies. Further, the upcoming data protection framework must enshrine privacy principles such as purpose limitation, data minimisation, transparency, and endeavour to protect users’ right to access, correct and erase their data. There must be safeguards placed on the access and use of personal data by public authorities. These are some of the standards present in international privacy protection frameworks. India should also ensure that data is transferred only if the recipient country can offer a comparable level of protection.Rather than attempting a hybrid between the China-Russia model and the EU model, India’s approach must be uniquely tailored for the country’s growing digital ambitions. Data protection legislation must achieve market access while protecting user rights. The framework must be geared towards obtaining data adequacy, strengthening domestic institutions that enforce privacy laws, and ultimately safeguarding citizens’ rights.Vaishnavi Prasad is Research Assistant, Esya Centre, New Delhi.This piece was first published on The India Cable – a premium newsletter from The Wire & Galileo Ideas – and has been republished here. To subscribe to The India Cable, click here.
